From 13a0860dd333072f4e327773ff9df40adf1fdec9 Mon Sep 17 00:00:00 2001
From: Tyler Koenig
Date: Fri, 29 May 2026 20:05:28 -0400
Subject: [PATCH] fix(security): patch Docker Scout CVEs in x/net and Alpine packages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Upgrade golang.org/x/net v0.54.0 → v0.55.0 (CVE-2026-41589 critical, CVE-2025-60876, CVE-2026-42502, CVE-2026-42506, CVE-2026-25681, CVE-2026-35414). Add apk upgrade to Dockerfile for openssh and busybox CVEs (CVE-2026-25680, CVE-2026-27136, CVE-2026-35386, CVE-2026-35387, CVE-2026-35388).
---
 Dockerfile | 1 +
 go.mod | 2 +-
 go.sum | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 9978b2e..f34cf5c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,6 +18,7 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 FROM alpine:3.23
 WORKDIR /app
 RUN apk add --no-cache ca-certificates openssh-client
+RUN apk upgrade --no-cache
 RUN mkdir /data
 COPY --from=builder /app/uptop .
diff --git a/go.mod b/go.mod
index b5d20c2..9b9e1fc 100644
--- a/go.mod
+++ b/go.mod
@@ -53,7 +53,7 @@ require (
 golang.org/x/crypto v0.52.0 // indirect
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 golang.org/x/mod v0.35.0 // indirect
- golang.org/x/net v0.54.0 // indirect
+ golang.org/x/net v0.55.0 // indirect
 golang.org/x/sync v0.20.0 // indirect
 golang.org/x/sys v0.45.0 // indirect
 golang.org/x/text v0.37.0 // indirect
diff --git a/go.sum b/go.sum
index db48509..6757ceb 100644
--- a/go.sum
+++ b/go.sum
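Review bot: The added `RUN apk upgrade --no-cache` in the Dockerfile hunk only takes effect when that layer is actually rebuilt. Its instruction text never changes, so a builder with a warm layer cache will keep reusing whatever package set the first build resolved, and later openssh/busybox fixes will not land. Folding it into the existing install step as `RUN apk upgrade --no-cache && apk add --no-cache ca-certificates openssh-client` saves a layer, but the durable fix is to build releases with a fresh base pull and no layer cache. `FROM alpine:3.23` is also a floating tag; pinning it by digest and bumping that digest deliberately would make a scanner regression traceable to a specific change. A short comment above the line, for example `# pick up Alpine security fixes not yet in the base image (openssh, busybox)`, would tell the next maintainer why the upgrade is there and when it can go.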
@@ -107,8 +107,8 @@ golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0
 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
 golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
-golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
-golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
+golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
+golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=